tweag/genealogos

Output PURLs for components

ErinvanderVeen opened this issue · 0 comments

CycloneDX analysis programs like Snyk use the PURLs of the components to look up CVEs to report, but there exists no Nix PURL (yet). As an alternative we can use the generic PURL type, which we can extract from the `src` attribute of derivations. This might result in false positives (because Nixpkgs often includes its own patches into the source), so experimentation is needed.

Subtask of #2
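As an added illustration of the approach proposed above (this is example code, not genealogos's own implementation), the following Rust builds a generic PURL from a derivation's fetched source. The `Derivation` and `FetchedSource` structs are a hypothetical simplification of what a derivation exposes: the upstream `urls` and the SRI `outputHash` of the fixed-output `src`, plus the list of Nixpkgs patches. The checksum is converted from Nix's `sha256-<base64>` form to the `sha256:<hex>` form the purl spec uses, and a `source_is_patched` flag carries the false-positive caveat to the consumer. Percent-encoding follows the purl spec's canonical examples (unreserved characters, and `:`/`/` inside qualifier values, are left as-is); treat that as an assumption to check against the spec's test suite.

```rust
// Added example (not genealogos code): derive a generic Package URL from the
// `src` of a Nix derivation so a CycloneDX consumer can match it against
// advisories. Structs are a hypothetical simplification of derivation data.

#[derive(Debug, Clone)]
pub struct FetchedSource {
    /// Upstream URL(s) the fixed-output derivation fetches (first one is used).
    pub urls: Vec<String>,
    /// Nix `outputHash` in SRI form, e.g. "sha256-<base64>".
    pub output_hash: String,
}

#[derive(Debug, Clone)]
pub struct Derivation {
    pub pname: String,
    pub version: Option<String>,
    pub src: Option<FetchedSource>,
    /// Patches Nixpkgs applies on top of `src`; if non-empty, the built
    /// package no longer matches the upstream source the PURL describes.
    pub patches: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub struct GenericPurl {
    pub purl: String,
    /// True when the derivation patches its source, so advisory matches
    /// against this PURL may be false positives.
    pub source_is_patched: bool,
}

/// Percent-encode per the purl spec: unreserved characters stay as-is,
/// qualifier values additionally keep ':' and '/', everything else is %XX.
fn percent_encode(s: &str, qualifier_value: bool) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        let keep = b.is_ascii_alphanumeric()
            || matches!(b, b'-' | b'.' | b'_' | b'~')
            || (qualifier_value && matches!(b, b':' | b'/'));
        if keep { out.push(b as char) } else { out.push_str(&format!("%{:02X}", b)) }
    }
    out
}

/// Decode standard base64 (optional '=' padding); None on invalid input.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut buf, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => break,
            _ => return None,
        } as u32;
        buf = (buf << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((buf >> bits) & 0xff) as u8);
            buf &= (1 << bits) - 1; // drop emitted bits so buf never overflows
        }
    }
    Some(out)
}

/// Convert a Nix SRI hash ("sha256-<base64>") into purl's "sha256:<hex>".
pub fn sri_to_purl_checksum(sri: &str) -> Option<String> {
    let (algo, b64) = sri.split_once('-')?;
    if !matches!(algo, "sha1" | "sha256" | "sha512") { return None; }
    let hex: String = base64_decode(b64)?.iter().map(|b| format!("{:02x}", b)).collect();
    Some(format!("{}:{}", algo, hex))
}

/// Build "pkg:generic/<pname>@<version>?checksum=...&download_url=...".
/// Returns None when the derivation has no fetched source to describe.
pub fn generic_purl(drv: &Derivation) -> Option<GenericPurl> {
    let src = drv.src.as_ref()?;
    let url = src.urls.first()?;
    let mut purl = format!("pkg:generic/{}", percent_encode(&drv.pname, false));
    if let Some(v) = &drv.version {
        purl.push('@');
        purl.push_str(&percent_encode(v, false));
    }
    // Qualifiers are sorted by key for canonical form, so "checksum"
    // precedes "download_url".
    let mut qualifiers: Vec<(&str, String)> = vec![("download_url", url.clone())];
    if let Some(cs) = sri_to_purl_checksum(&src.output_hash) {
        qualifiers.push(("checksum", cs));
    }
    qualifiers.sort_by(|a, b| a.0.cmp(b.0));
    let encoded: Vec<String> = qualifiers
        .iter()
        .map(|(k, v)| format!("{}={}", k, percent_encode(v, true)))
        .collect();
    purl.push('?');
    purl.push_str(&encoded.join("&"));
    Some(GenericPurl { purl, source_is_patched: !drv.patches.is_empty() })
}

/// Constructed sample: the URL is a placeholder and the SRI hash is the
/// SHA-256 of the empty string, used only so the conversion is checkable.
pub fn sample_derivation() -> Derivation {
    Derivation {
        pname: "hello".to_string(),
        version: Some("2.12.1".to_string()),
        src: Some(FetchedSource {
            urls: vec!["https://example.org/src/hello-2.12.1.tar.gz".to_string()],
            output_hash: "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=".to_string(),
        }),
        patches: vec!["fix-build.patch".to_string()],
    }
}

fn main() {
    match generic_purl(&sample_derivation()) {
        Some(p) => println!("{} (patched: {})", p.purl, p.source_is_patched),
        None => println!("no src attribute, no PURL"),
    }
}
```

A derivation without `src` (or with a `src` that is not a fetcher output) yields no PURL rather than a misleading one, and a consumer can use `source_is_patched` to downgrade confidence in any advisory match.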